Risk Management

Managing your risks allows you to efficiently utilize your limited resources

How many resources should be invested in security and when?

Investments in security should be treated like any other investments - such as those in marketing, personnel, hardware or software. As with these other areas, you should ask yourself the following fundamental questions:

  • What additional revenue can we generate by investing in security?
  • What might happen if we do not invest sufficiently in security?
  • How likely is it that an adverse event will occur?

The answers to these questions depend on a variety of factors, including industry, company size, competition and corporate goals. Despite the significant differences between companies, some pieces of advice have proven universal:

  • Immediate Action: Every security flaw identified during a penetration test that could lead to a data breach in a single step must be addressed immediately.
  • High Severity Issues: Every security flaw with a high severity score (i.e., greater than 7) must be promptly integrated into your work process.
  • Resource Allocation: Depending on the industry, 10% to 20% of your development capacity should be allocated to security in the long term.

We will typically communicate these general rules during our final meeting, tailoring them to your specific situation.

However, the devil is in the details: What exactly does “immediately” mean? Should you thoroughly test a patch beforehand - thus delaying its deployment - or apply an untested patch, arguing that it is better to have an inoperable website than one that loses customer data? Balancing these competing risks is a consistent challenge in security management.

Fundamental documentation of risk management

This is where our consulting services come into play. A senior consultant will work with you to compile a list of fundamental questions and collaboratively develop answers. From this foundation, you can derive specific processes and actionable guidelines. More importantly, our consultant will help you establish a process for addressing key risk management questions - ensuring that every consideration and justification is properly documented.

We also assist you in choosing the optimal format for this documentation. In many cases, an Excel file will suffice; however, for more complex situations, we can help you select suitable software. You can rely on our experience and, above all, our independent advice, since we do not accept payments (kickbacks, etc.) from third parties under any circumstances.

Documenting your fundamental risk guidelines offers a range of advantages:

  • Clarity for Developers: Derived guidelines - such as programming guidelines - are easy for developers to understand, ensuring they can be implemented effectively over the long term.
  • Effective Onboarding: New employees can be specifically trained to adhere to these fundamental guidelines from day one.
  • Incident Preparedness: In the event of a security incident, management can demonstrate that appropriate security measures were initiated.
  • Continuous Improvement: After each security incident, you can review and, if necessary, adjust both the implementation and the guidelines.
  • Informed Investments: Future investments in software, services and other areas can be evaluated against these risk assessments to ensure that every step in the value chain meets the required security standards.

Continuous documentation of current risks

In a second step, we help you incorporate the current risks identified during penetration tests into your documentation. This ensures that you always have an up-to-date overview of which risks have been addressed and which remain open.

Over time, your risk documentation will help you optimize the security efforts within your development process. If the number of outstanding issues decreases, you can be confident that your current security measures are effective. However, if new risks are added faster than existing ones are mitigated, you will need to either adjust your processes or allocate more resources to security. Additionally, this documentation makes it easier to identify duplicate issues and combine measures - almost always leading to greater efficiency.

Finally, when new exploits are discovered, you can quickly determine whether you are affected and identify which components need to be replaced or patched to reduce your attack surface.

Transformation based on risk management

Often, a company’s first penetration test reveals that continuous security efforts are necessary at every level. In such cases, there is frequently a significant mismatch between the tasks requiring immediate attention and the available resources. Even when both the readiness and the financial commitment are present, implementing remediation measures simply takes time.

Moreover, the sheer volume of risks can itself create new risks - for example, by causing individual issues to be overlooked or by prolonging the risk assessment process.

In this critical initial phase, we assist you in conducting a triage to quickly identify the highest-impact risks while ensuring that nothing is missed. We also present you with various, non-obvious options for action that can help you prevent worst-case scenarios swiftly and with minimal effort.

For instance, one customer was using an outdated - and therefore vulnerable - library to manage business rules. The obvious solution would have been to update the library to its latest version. However, in this particular case, the update was too time-consuming because it introduced massive differences in the syntax and semantics of the business rules compared to the version in use. Rewriting these rules was an option, but the required technical testing would have been unacceptably lengthy.

Instead, we introduced an external firewall for the customer (in this case, Akamai) and mitigated the vulnerability with a customer-specific rule. While this was not a perfect solution, it enabled the customer to address a serious security vulnerability within three days—a process that would have otherwise taken months.

Thanks to our extensive consulting experience, we can often significantly reduce the time required to restore secure operations.
